doula2426 2011-05-31 21:43
Views: 23
Accepted

Selectively logging out logged-in users after banning them

Hello StackOverflow Community:

Here is a tricky situation. Suppose that 20 users are logged in to my webapp and I, the admin, (from a different computer and browser) ban 3 of them; how then do I kick out those 3 logged-in users that I just banned? It seems to be a matter of deleting their sessions/cookies, but how do I know which sessions to delete/invalidate and how to access them?

Just so you know, this project is in CakePHP and I'm using Memcache as the engine to store sessions. I already tried an option discussed in the cakephp channel that goes like this:


  1. When a user logs in, his session_id (e.g. sd19eIVasdokja021dnasd) is stored in memcached along with his user id (e.g. the one in db: 323). This way, the user's db record is associated with his session_id within the server. Some code:

         Cache::write('user_session_id_' . $this->Auth->user('id'), $this->Session->id());

  2. After the model sets the user's banned column to 1, I look up whether a Memcache key with the user's id exists, from which I retrieve the session id. I then delete the Memcache key:

         if ($this->save(array('User' => array('id' => $userId, 'banned' => 1)), false)) {
             $userSessionId = Cache::read('user_session_id_' . $userId);
             if ($userSessionId !== false) {
                 Cache::delete($userSessionId);
                 Cache::delete('user_session_id_' . $userId);
             }
         }

  3. It doesn't work, the user is still logged in. I'm very sure I have to destroy/invalidate cookies though, in which case there is probably no way to alter other users' cookies, right?


FOLLOWUP AND SOLUTION:

I was able to solve this by following this... Remotely destroy a session in php (user logs in somewhere else)?

...and also this (a bit of pseudo-code within the User model that actually evolved from my point number two above) (note that my point number one listed above is also needed, due to line six below):

foreach ($bannedUsers as $userId) { // $Session: a CakeSession instance created earlier (assumed, not shown in the post)
    if ($this->save(array('User' => array(
        'id' => $userId,
        'banned' => 1,
        'ban_date' => date('Y-m-d H:i:s'))), false)) { // flag the user in the db first
            $userSessionId = Cache::read('user_session_id_' . $userId); // mapping written at login (point one)
            if ($userSessionId !== false) {
                $Session->id($userSessionId); // switch to the banned user's session id
                $Session->write('Auth', ''); // wipe the Auth data that keeps him logged in
                Cache::delete('user_session_id_' . $userId); // drop the user -> session mapping
            }
    }
}
1 answer

  • duanchu3376 2011-05-31 21:49

    You seem to be doing something wrong with your app. The idea of the SESSION/COOKIE system is that the SESSION id stored is matched at the beginning of each request made to the server with the COOKIE that the browser sends. If they don't match, the app simply exits and shows the logon page. Thus, if you are able to delete the SESSION id correctly, there is no way that a particular user is not logged off unless you are not checking the SESSION/COOKIE match that you should at the first line of every page.

    This answer was accepted by the asker.
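The mechanism the question builds (a user id to session id index written at login, consulted when banning) and the answer's point (every request re-checks the cookie's id against the server-side session) as one added example. It is constructed for this page in Python with an in-memory dict standing in for memcache; it is not CakePHP code, and the class and method names are assumptions.

```python
import secrets
import time


class SessionStore:
    """In-memory stand-in for the memcache-backed session store the question
    describes (constructed for this example, not CakePHP code)."""

    def __init__(self):
        self.sessions = {}     # session_id -> {"user_id": ..., "expires": ...}
        self.user_index = {}   # user_id -> set of session_ids (step 1 of the question)
        self.banned = set()    # stands in for the users.banned column

    def login(self, user_id, ttl=3600):
        """Create a session; the returned id is what the browser gets as its cookie."""
        if user_id in self.banned:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user_id": user_id, "expires": time.time() + ttl}
        # A set, not a single slot: a user logged in from two browsers has two sessions,
        # and a single-slot index would only let the ban revoke the most recent one.
        self.user_index.setdefault(user_id, set()).add(sid)
        return sid

    def ban(self, user_id):
        """Flag the user and destroy every session the index knows about.
        Dropping only the index key (as in step 2 of the question) leaves the
        session records in place, so the existing cookies keep authenticating."""
        self.banned.add(user_id)
        for sid in self.user_index.pop(user_id, set()):
            self.sessions.pop(sid, None)

    def authenticate(self, cookie_sid):
        """Run at the start of every request: the cookie's id must match a live
        server-side session, and its owner must not have been banned meanwhile."""
        sess = self.sessions.get(cookie_sid)
        if sess is None or sess["expires"] < time.time():
            self.sessions.pop(cookie_sid, None)
            return None
        if sess["user_id"] in self.banned:   # covers a stale or missing index entry
            self.sessions.pop(cookie_sid, None)
            return None
        return sess["user_id"]
```

The per-request check is what makes the ban take effect: once `ban()` has removed the session record, the browser's unchanged cookie no longer resolves to anything, which is the "logged off" outcome the answer describes without touching the client at all.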
